BetterHelp Sold Customer Data While Promising It Was Private, Says FTC

Online counseling company BetterHelp has agreed to pay $7.8 million to settle charges from the Federal Trade Commission that it improperly shared customers’ sensitive data with companies like Facebook and Snapchat, even after promising to keep it private. The Verge reports: The proposed order, announced by the FTC on Thursday, would ban the same behavior in the future and require BetterHelp to make some changes to how it handles customer data. According to the regulator, the sign-up process for the company’s service “promised consumers that it would not use or disclose their personal health data except for limited purposes.” However, the FTC alleges that the company instead “used and revealed consumers’ email addresses, IP addresses, and health questionnaire information to Facebook, Snapchat, Criteo, and Pinterest for advertising purposes.”

The FTC also says that the company gave customer service agents false scripts to try and reassure users that it wasn’t sharing personally identifiable or personal health information after a February 2020 report from Jezebel exposed some of its practices. The commission’s complaint (PDF) accuses the company of misleading customers by putting a HIPAA seal on its website, despite the fact that “no government agency or other third party reviewed [BetterHelp]’s information practices for compliance with HIPAA, let alone determined that the practices met the requirements of HIPAA.”

If the FTC’s order ends up going through, the $7.8 million would go to customers who signed up for the service between August 1st, 2017, and December 31st, 2020. Here are some of the other things BetterHelp would be required to do:

– Stop sharing individually identifiable information about consumers’ mental health with any third parties
– Stop misrepresenting its data collection and use policies
– Alert customers who created accounts before January 1st, 2021, that their personal info may have been used for advertising
– Obtain “affirmative express consent” from a customer before sharing information with a third party
– Reach out to third parties that received customer information and ask that it be deleted
– Establish a “comprehensive privacy program” and have an independent third party carry out privacy assessments

